* [Blog](https://www2.paloaltonetworks.com/blog)
* [Palo Alto Networks](https://www2.paloaltonetworks.com/blog/corporate/)
* [Malware](https://www2.paloaltonetworks.com/blog/category/malware-2/)
* Dplug Android malware dis...

# Dplug Android malware discovered by WildFire

[](https://www.facebook.com/sharer/sharer.php?u=https%3A%2F%2Fwww2.paloaltonetworks.com%2Fblog%2F2013%2F09%2Fdplug-android-malware-discovered-by-wildfire%2F)  
[](https://twitter.com/share?text=Dplug+Android+malware+discovered+by+WildFire&url=https%3A%2F%2Fwww2.paloaltonetworks.com%2Fblog%2F2013%2F09%2Fdplug-android-malware-discovered-by-wildfire%2F)  
[](https://www.linkedin.com/shareArticle?mini=true&url=https%3A%2F%2Fwww2.paloaltonetworks.com%2Fblog%2F2013%2F09%2Fdplug-android-malware-discovered-by-wildfire%2F&title=Dplug+Android+malware+discovered+by+WildFire&summary=&source=)  
[](https://www.paloaltonetworks.com//www.reddit.com/submit?url=https://www2.paloaltonetworks.com/blog/2013/09/dplug-android-malware-discovered-by-wildfire/&ts=markdown)  
\[\](mailto:?subject=Dplug Android malware discovered by WildFire)  
Link copied  
By [Zhi Xu](https://www.paloaltonetworks.com/blog/author/zhi-xu/?ts=markdown "Posts by Zhi Xu")  
Sep 05, 2013  
8 minutes  
[Malware](https://www.paloaltonetworks.com/blog/category/malware-2/?ts=markdown)  
[Mobility](https://www.paloaltonetworks.com/blog/category/mobility/?ts=markdown)  
[Threat Advisory/Analysis](https://www.paloaltonetworks.com/blog/category/threat-advisory-analysis/?ts=markdown)  
[Uncategorized](https://www.paloaltonetworks.com/blog/category/uncategorized/?ts=markdown)

In July 2013, WildFire detected a new kind of Android Package File (APK) malware named *Dplug*. This malware poses as a system tool app for memory cleaning. Dplug uses SMS to hijack the device's unique identifiers, subscribe to premium services and hide this behavior from the user by blocking the premium service notifications.

By reviewing its behaviors in our WildFire APK sandbox, we observed the following features of this malware. The package name of this detected malware sample is *com.dlwx.clean\_mc.mactivity* , and its package signer is *IadPush*. After installation Dplug will send the device's IMEI and IMSI number to a designated phone number through SMS. It then intercepts all incoming SMS and saves the intercepted SMS messages in a hidden folder on the device's storage card. Further, it blocks incoming SMS messages from two specific premium service numbers belonging to ChinaMobile: 10086 and 1065889955. Another interesting feature is that it provides an auto-confirmation function to premium services that require subscription and SMS confirmation. Besides premium service subscription, the Dplug malware can also push ads to the screen and send customized notifications which are downloaded from remote attack website.

In a typical attack scenario, the attacker first lures the user to install the Dplug malware on the Android device. This is most likely accomplished through the in-app market of the *TTpod* Chinese music player app, found on Google Play. After installation, the malware will fetch a phone number from attacker website and send the device's IMEI and IMSI number to this phone number via SMS messages. With the device information, the attacker can impersonate the victim device to subscribe premium services. For services requiring SMS confirmation, the attacker will deliver the confirmation SMS schema to the malware. When the SMS confirmation message is intercepted, the malware will auto-reply the confirmation code to complete the service subscription. All of the attack behaviors occur in the background. The user will sense nothing related to the service subscription until receiving the monthly bill.

An overview of the reversed malware sample is shown in (Fig 1). The host app part performs the legitimate functions it claims. The attack code is in the *dplug* package. In this Dplug malware sample, a mobile ad library from "http://www.91zan.com" is downloaded from http://cdn.91zan.com/sdk/pi.jar. This ad library also aggressively collects the phone's unique identifiers and uploads the collected information to http://service.91zan.com.

[](https://www.paloaltonetworks.com/blog/wp-content/uploads/2013/09/dplug1.png)  
[![dplug1](https://www.paloaltonetworks.com/blog/wp-content/uploads/2013/09/dplug1-230x173.png)](https://www.paloaltonetworks.com/blog/wp-content/uploads/2013/09/dplug1.png)

Fig 1. An overview of reversed Dplug malware sample.

**Technical Details**

**Intercept and block incoming SMS messages**

The malware claims the highest priority of receiving intent *android.provider.Telephony.SMS\_RECEIVED* so that when an incoming SMS message arrives, the malware will intercept the message before other apps. (Fig 2)

[](https://www.paloaltonetworks.com/blog/wp-content/uploads/2013/09/dplug2.png)  
[![dplug2](https://www.paloaltonetworks.com/blog/wp-content/uploads/2013/09/dplug2-230x47.png)](https://www.paloaltonetworks.com/blog/wp-content/uploads/2013/09/dplug2.png)

*Fig 2. Broadcast receiver com.dplug.ptest.DlwxReceiver claims the highest priority for receiving four types of intents in AndroidManifest.xml file*

The intercepted SMS messages are then examined by the *isPinBi()* function in the file *com.dplug.sms.SMSTool.java* . "PinBi" means "shield\*"\* in Chinese. In this function, the malware intercepts SMS coming from two numbers, one is 10086 (a hotline number of China Mobile Communication) and the other is 1065889955 (a notorious malicious premium service subscription number widely used by mobile malware in China). These two numbers are hardcoded in the file *com.dplug.tools.Constant.java* (Fig 3).

[](https://www.paloaltonetworks.com/blog/wp-content/uploads/2013/09/dplug3.png)  
[![dplug3](https://www.paloaltonetworks.com/blog/wp-content/uploads/2013/09/dplug3-230x51.png)](https://www.paloaltonetworks.com/blog/wp-content/uploads/2013/09/dplug3.png)

*Fig 3. The hardcoded numbers*

If an incoming SMS message is from either number, the malware will block the message from being inserted into the inbox. The purpose is to block the premium service notices sent from carrier such as the premium service subscription notice, service subscription confirmation notice, and billing notices. The victim will not notice the premium services the attacker subscribed to using their phone's identity.

The malware will save the intercepted messages in a "log.txt" file. For each message, the malware will log receive time, sender phone number and the message body (Fig 4).

[](https://www.paloaltonetworks.com/blog/wp-content/uploads/2013/09/dplug4.png)  
[![dplug4](https://www.paloaltonetworks.com/blog/wp-content/uploads/2013/09/dplug4-230x17.png)](https://www.paloaltonetworks.com/blog/wp-content/uploads/2013/09/dplug4.png)

*Fig 4. Examples of intercepted SMS messages in the "log.txt" file*

To hide the logs from being detected, the malware creates a hidden folder in the path *"/mnt/sdcard/Android/.system/.dplug* " and saves the logs there. The file path for "log.txt" is *"/mnt/sdcard/Android/.system/.dplug/log.txt*".

**Send IMEI and IMSI number of device to remote attacker via SMS**

Dplug collects the IMEI and IMSI numbers from the device. The two numbers are sent via SMS to a designated phone number and then retrieved by contacting the URL [http://www.android-3.com:8008/getPhoneNo.do?arg=0\&m=get](http://www.android-3.com:8008/getPhoneNo.do?arg=0&m=get) (Fig 5)

[](https://www.paloaltonetworks.com/blog/wp-content/uploads/2013/09/dplug5.png)  
[![dplug5](https://www.paloaltonetworks.com/blog/wp-content/uploads/2013/09/dplug5-230x48.png)](https://www.paloaltonetworks.com/blog/wp-content/uploads/2013/09/dplug5.png)

*Fig 5. Retrieve the receiver phone number via www.android-3.com:8008*

With the retrieved number the malware will construct a SMS message and sent out in the background (Fig 6).

[](https://www.paloaltonetworks.com/blog/wp-content/uploads/2013/09/dplug6.png)  
[![dplug6](https://www.paloaltonetworks.com/blog/wp-content/uploads/2013/09/dplug6-230x19.png)](https://www.paloaltonetworks.com/blog/wp-content/uploads/2013/09/dplug6.png)

*Fig 6. The SMS message sent with IMEI and IMSI number*

With the IMEI, IMSI and phone number, the attacker will impersonate the phone owner and subscribe to premium services. The attacker profits through those premium services.

**Premium service subscription auto-confirmation**

To avoid unnoticed premium service subscription, the carrier will send confirmation SMS messages to the subscriber's phone. This message usually contains the subscription information and a random confirmation number. The user needs to replay this confirmation number in order to confirm the subscription.

To deal with the confirmation requirement, the Dplug malware first downloads an SMS configuration file from the url http://117.135.131.19:8008/sms.do. The configuration file is parsed by the *ParseTool.parseSMSConfig()* function and the parsed information is saved in a *SMSCustom* object. Related source code is shown in (Fig 7).

[](https://www.paloaltonetworks.com/blog/wp-content/uploads/2013/09/dplug7.png)  
[![dplug7](https://www.paloaltonetworks.com/blog/wp-content/uploads/2013/09/dplug7-230x47.png)](https://www.paloaltonetworks.com/blog/wp-content/uploads/2013/09/dplug7.png)

*Fig. 7 A configuration file downloaded in the doSMS() function of com.dplug.sms.SMSAdapter.java file*

The most important information in the configuration file is the *Forward* information that is described in the *com.dplug.sms.Forward.java* file. It includes the *key* string that is used to identify the confirmation code, and the format of confirmation SMS messages.

The auto confirmation procedure is done in the *com.dplug.sms.SMSTool.java* file. When an incoming SMS containing the *key* string is intercepted, the malware will use the *Forward* information to extract the confirmation code from the incoming message, and then automatically reply to the confirmation SMS sender with the confirmation code extracted (Fig. 8). The confirmation SMS message will also be blocked from being delivered to the inbox.

[](https://www.paloaltonetworks.com/blog/wp-content/uploads/2013/09/dplug8.png)  
[![dplug8](https://www.paloaltonetworks.com/blog/wp-content/uploads/2013/09/dplug8-230x21.png)](https://www.paloaltonetworks.com/blog/wp-content/uploads/2013/09/dplug8.png)

*Fig 8. Auto confirmation with extracted confirmation code*

The malware logs all communications between itself and the remote attack servers in the *log.txt* file which is saved in the hidden folder *"/mnt/sdcard/Android/.system/.dplug/ASK/log.txt"*.

**Additional observations**

The observed network communications include:

|----------------------------------------------------------|--------------------------------------------------------------------------|
| URL                                                      | Returned results                                                         |
| http://www.android-3.com:8008/getPhoneNo.do?arg=0\&m=url | "http://218.206.176.241:8084/0901?http://42.121.144.223:88/wyt.jsp"      |
| http://www.android-3.com:8008/getPhoneNo.do?arg=0\&m=get | "get:13241586871"                                                        |
| http://www.android-3.com:8008/3.php?arg=0?cancel=1       | "error"                                                                  |
| http://www.android-3.com:8008/3.php?arg=0?cancel=0       | "error"                                                                  |
| http://www.smqgame.com:888/new.jsp?arg=0?cancel=1        | "OK"                                                                     |
| http://117.135.131.19:8008/sms.do                        | The confirmation message format. IP is still alive. The service is down. |

The Dplug malware requires many permission types including:

* android.permission.WRITE\_EXTERNAL\_STORAGE
* android.permission.ACCESS\_NETWORK\_STATE
* android.permission.INTERNET
* android.permission.KILL\_BACKGROUND\_PROCESSES
* android.permission.FORCE\_STOP\_PACKAGES
* com.android.launcher.permission.INSTALL\_SHORTCUT
* com.android.launcher.permission.UNINSTALL\_SHORTCUT
* com.android.launcher.permission.READ\_SETTINGS
* android.permission.WRITE\_EXTERNAL\_STORAGE
* android.permission.INSTALL\_PACKAGES
* android.permission.DELETE\_PACKAGES
* android.permission.RECEIVE\_BOOT\_COMPLETED
* android.permission.RECEIVE\_USER\_PRESENT
* android.permission.RECEIVE\_SMS
* android.permission.RECEIVE\_USER\_PRESENT
* android.permission.RECEIVE\_SMS
* android.permission.SEND\_SMS
* android.permission.INTERNET
* android.permission.WRITE\_EXTERNAL\_STORAGE
* android.permission.GET\_TASKS
* android.permission.ACCESS\_WIFI\_STATE
* android.permission.CHANGE\_WIFI\_STATE
* android.permission.ACCESS\_NETWORK\_STATE
* android.permission.WRITE\_APN\_SETTINGS
* android.permission.READ\_PHONE\_STATE
* android.permission.CHANGE\_NETWORK\_STATE
* android.permission.ACCESS\_NETWORK\_STATE
* android.permission.INTERNET
* android.permission.SYSTEM\_ALERT\_WINDOW
* android.permission.INTERNET
* android.permission.WRITE\_EXTERNAL\_STORAGE
* android.permission.READ\_PHONE\_STATE
* android.permission.ACCESS\_NETWORK\_STATE
* android.permission.SYSTEM\_ALERT\_WINDOW
* android.permission.GET\_TASKS

Dplug listens to the broadcast of following intents:

* android.intent.action.MAIN
* android.intent.action.PACKAGE\_ADDED
* android.intent.action.PACKAGE\_CHANGED
* android.intent.action.PACKAGE\_REMOVED
* android.intent.action.PACKAGE\_REPLACED
* android.intent.action.PACKAGE\_RESTARTED
* android.intent.action.PACKAGE\_INSTALL
* android.intent.action.BOOT\_COMPLETED
* android.intent.action.USER\_PRESENT
* android.provider.Telephony.SMS\_RECEIVED
* android.intent.action.PHONE\_STATE
* com.dplug.ptest.DlwxService2
* android.intent.action.PACKAGE\_ADDED
* android.intent.action.PACKAGE\_REMOVED
* android.net.conn.CONNECTIVITY\_CHANGE
* com.zan.action.ALARM\_ACTION
* android.intent.action.USER\_PRESENT

**Malware sample availability**

SHA256 value of the detected malicious APK file is:

c87fe742831f52834fe5dcdae6aa96006b129f93cb71b406a68973675d74f62c.

The APK file URL (valid at time of publication) is:

http://d1.ttpod.com/market-file/2013/07/05/and\_cs\_nck/new\_80030004.apk

*Ttpod.com* is a Chinese music player app. The player app is available at Google Play store with name *TTPod* ( https://play.google.com/store/apps/details?id=com.sds.android.ttpod). It is highly likely that this malware sample was downloaded through the in-app market of *TTPod* app.

*** ** * ** ***

## Related Blogs

### [Application Advisory/Analysis](https://www.paloaltonetworks.com/blog/category/application-analysis/?ts=markdown), [Malware](https://www.paloaltonetworks.com/blog/category/malware-2/?ts=markdown), [Mobility](https://www.paloaltonetworks.com/blog/category/mobility/?ts=markdown), [Threat Advisories - Advisories](https://www.paloaltonetworks.com/blog/category/threat-advisories-advisories/?ts=markdown), [Threat Prevention](https://www.paloaltonetworks.com/blog/category/threat-prevention-2/?ts=markdown), [Unit 42](https://www.paloaltonetworks.com/blog/category/unit42/?ts=markdown)

[#### Chinese Taomike Monetization Library Steals SMS Messages](https://www2.paloaltonetworks.com/blog/2015/10/chinese-taomike-monetization-library-steals-sms-messages/)

### [AI and Cybersecurity](https://www.paloaltonetworks.com/blog/security-operations/category/ai-and-cybersecurity/?ts=markdown), [Automation of the Week](https://www.paloaltonetworks.com/blog/security-operations/category/automation-of-the-week/?ts=markdown), [Product Features](https://www.paloaltonetworks.com/blog/security-operations/category/product-features/?ts=markdown), [Uncategorized](https://www.paloaltonetworks.com/blog/category/uncategorized/?ts=markdown)

[#### A Day in the Life with Your AgentiX Automation Engineer Agent](https://www2.paloaltonetworks.com/blog/security-operations/a-day-in-the-life-with-your-agentix-automation-engineer-agent/)

### [Product Features](https://www.paloaltonetworks.com/blog/security-operations/category/product-features/?ts=markdown), [Uncategorized](https://www.paloaltonetworks.com/blog/category/uncategorized/?ts=markdown)

[#### Beyond the Cloud Dashboard: Exposure Management Requires Full-Scope Visibility and Real Action](https://www2.paloaltonetworks.com/blog/security-operations/beyond-the-cloud-dashboard-exposure-management-requires-full-scope-visibility-and-real-action/)

### [Must-Read Articles](https://www.paloaltonetworks.com/blog/security-operations/category/must-read-articles/?ts=markdown), [Product Features](https://www.paloaltonetworks.com/blog/security-operations/category/product-features/?ts=markdown), [Uncategorized](https://www.paloaltonetworks.com/blog/category/uncategorized/?ts=markdown)

[#### From ILOVEYOU to AI Defenders -- 25 Years of Email Evolution](https://www2.paloaltonetworks.com/blog/security-operations/from-iloveyou-to-ai-defenders-25-years-of-email-evolution/)

### [AI Security](https://www.paloaltonetworks.com/blog/category/ai-security/?ts=markdown), [Uncategorized](https://www.paloaltonetworks.com/blog/category/uncategorized/?ts=markdown)

[#### The 3Cs of AI Red Teaming: Comprehensive, Contextual \& Continuous](https://www2.paloaltonetworks.com/blog/network-security/the-3cs-of-ai-red-teaming-comprehensive-contextual-continuous/)

### [Must-Read Articles](https://www.paloaltonetworks.com/blog/security-operations/category/must-read-articles/?ts=markdown), [Uncategorized](https://www.paloaltonetworks.com/blog/category/uncategorized/?ts=markdown)

[#### Securing Shadow AI with Cortex Xpanse](https://www2.paloaltonetworks.com/blog/security-operations/securing-shadow-ai-with-cortex-xpanse/)

### Subscribe to the Blog!

Sign up to receive must-read articles, Playbooks of the Week, new feature announcements, and more.
![spinner](https://www2.paloaltonetworks.com/blog/wp-content/themes/panwblog2023/dist/images/ajax-loader.gif) Sign up  
Please enter a valid email.  
By submitting this form, you agree to our [Terms of Use](https://www.paloaltonetworks.com/legal-notices/terms-of-use?ts=markdown) and acknowledge our [Privacy Statement](https://www.paloaltonetworks.com/legal-notices/privacy?ts=markdown). Please look for a confirmation email from us. If you don't receive it in the next 10 minutes, please check your spam folder.  
This site is protected by reCAPTCHA and the Google [Privacy Policy](https://policies.google.com/privacy) and [Terms of Service](https://policies.google.com/terms) apply.  
{#footer} {#footer}

## Products and Services

* [AI-Powered Network Security Platform](https://www.paloaltonetworks.com/network-security?ts=markdown)

* [Secure AI by Design](https://www.paloaltonetworks.com/precision-ai-security/secure-ai-by-design?ts=markdown)

* [Prisma AIRS](https://www.paloaltonetworks.com/prisma/prisma-ai-runtime-security?ts=markdown)

* [AI Access Security](https://www.paloaltonetworks.com/sase/ai-access-security?ts=markdown)

* [Cloud Delivered Security Services](https://www.paloaltonetworks.com/network-security/security-subscriptions?ts=markdown)

* [Advanced Threat Prevention](https://www.paloaltonetworks.com/network-security/advanced-threat-prevention?ts=markdown)

* [Advanced URL Filtering](https://www.paloaltonetworks.com/network-security/advanced-url-filtering?ts=markdown)

* [Advanced WildFire](https://www.paloaltonetworks.com/network-security/advanced-wildfire?ts=markdown)

* [Advanced DNS Security](https://www.paloaltonetworks.com/network-security/advanced-dns-security?ts=markdown)

* [Enterprise Data Loss Prevention](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown)

* [Enterprise IoT Security](https://www.paloaltonetworks.com/network-security/enterprise-device-security?ts=markdown)

* [Medical IoT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown)

* [Industrial OT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown)

* [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown)

* [Next-Generation Firewalls](https://www.paloaltonetworks.com/network-security/next-generation-firewall?ts=markdown)

* [Hardware Firewalls](https://www.paloaltonetworks.com/network-security/hardware-firewall-innovations?ts=markdown)

* [Software Firewalls](https://www.paloaltonetworks.com/network-security/software-firewalls?ts=markdown)

* [Strata Cloud Manager](https://www.paloaltonetworks.com/network-security/strata-cloud-manager?ts=markdown)

* [SD-WAN for NGFW](https://www.paloaltonetworks.com/network-security/sd-wan-subscription?ts=markdown)

* [PAN-OS](https://www.paloaltonetworks.com/network-security/pan-os?ts=markdown)

* [Panorama](https://www.paloaltonetworks.com/network-security/panorama?ts=markdown)

* [Secure Access Service Edge](https://www.paloaltonetworks.com/sase?ts=markdown)

* [Prisma SASE](https://www.paloaltonetworks.com/sase?ts=markdown)

* [Application Acceleration](https://www.paloaltonetworks.com/sase/app-acceleration?ts=markdown)

* [Autonomous Digital Experience Management](https://www.paloaltonetworks.com/sase/adem?ts=markdown)

* [Enterprise DLP](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown)

* [Prisma Access](https://www.paloaltonetworks.com/sase/access?ts=markdown)

* [Prisma Browser](https://www.paloaltonetworks.com/sase/prisma-browser?ts=markdown)

* [Prisma SD-WAN](https://www.paloaltonetworks.com/sase/sd-wan?ts=markdown)

* [Remote Browser Isolation](https://www.paloaltonetworks.com/sase/remote-browser-isolation?ts=markdown)

* [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown)

* [AI-Driven Security Operations Platform](https://www.paloaltonetworks.com/cortex?ts=markdown)

* [Cloud Security](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown)

* [Cortex Cloud](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown)

* [Application Security](https://www.paloaltonetworks.com/cortex/cloud/application-security?ts=markdown)

* [Cloud Posture Security](https://www.paloaltonetworks.com/cortex/cloud/cloud-posture-security?ts=markdown)

* [Cloud Runtime Security](https://www.paloaltonetworks.com/cortex/cloud/runtime-security?ts=markdown)

* [Prisma Cloud](https://www.paloaltonetworks.com/prisma/cloud?ts=markdown)

* [AI-Driven SOC](https://www.paloaltonetworks.com/cortex?ts=markdown)

* [Cortex XSIAM](https://www.paloaltonetworks.com/cortex/cortex-xsiam?ts=markdown)

* [Cortex XDR](https://www.paloaltonetworks.com/cortex/cortex-xdr?ts=markdown)

* [Cortex XSOAR](https://www.paloaltonetworks.com/cortex/cortex-xsoar?ts=markdown)

* [Cortex Xpanse](https://www.paloaltonetworks.com/cortex/cortex-xpanse?ts=markdown)

* [Unit 42 Managed Detection \& Response](https://www.paloaltonetworks.com/cortex/managed-detection-and-response?ts=markdown)

* [Managed XSIAM](https://www.paloaltonetworks.com/cortex/managed-xsiam?ts=markdown)

* [Threat Intel and Incident Response Services](https://www.paloaltonetworks.com/unit42?ts=markdown)

* [Proactive Assessments](https://www.paloaltonetworks.com/unit42/assess?ts=markdown)

* [Incident Response](https://www.paloaltonetworks.com/unit42/respond?ts=markdown)

* [Transform Your Security Strategy](https://www.paloaltonetworks.com/unit42/transform?ts=markdown)

* [Discover Threat Intelligence](https://www.paloaltonetworks.com/unit42/threat-intelligence-partners?ts=markdown)

## Company

* [About Us](https://www.paloaltonetworks.com/about-us?ts=markdown)
* [Careers](https://jobs.paloaltonetworks.com/en/)
* [Contact Us](https://www.paloaltonetworks.com/company/contact-sales?ts=markdown)
* [Corporate Responsibility](https://www.paloaltonetworks.com/about-us/corporate-responsibility?ts=markdown)
* [Customers](https://www.paloaltonetworks.com/customers?ts=markdown)
* [Investor Relations](https://investors.paloaltonetworks.com/)
* [Location](https://www.paloaltonetworks.com/about-us/locations?ts=markdown)
* [Newsroom](https://www.paloaltonetworks.com/company/newsroom?ts=markdown)

## Popular Links

* [Blog](https://www.paloaltonetworks.com/blog/?ts=markdown)
* [Communities](https://www.paloaltonetworks.com/communities?ts=markdown)
* [Content Library](https://www.paloaltonetworks.com/resources?ts=markdown)
* [Cyberpedia](https://www.paloaltonetworks.com/cyberpedia?ts=markdown)
* [Event Center](https://events.paloaltonetworks.com/)
* [Manage Email Preferences](https://start.paloaltonetworks.com/preference-center)
* [Products A-Z](https://www.paloaltonetworks.com/products/products-a-z?ts=markdown)
* [Product Certifications](https://www.paloaltonetworks.com/legal-notices/trust-center/compliance?ts=markdown)
* [Report a Vulnerability](https://www.paloaltonetworks.com/security-disclosure?ts=markdown)
* [Sitemap](https://www.paloaltonetworks.com/sitemap?ts=markdown)
* [Tech Docs](https://docs.paloaltonetworks.com/)
* [Unit 42](https://unit42.paloaltonetworks.com/)
* [Do Not Sell or Share My Personal Information](https://panwedd.exterro.net/portal/dsar.htm?target=panwedd)
  ![PAN logo](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/pan-logo-dark.svg)
* [Privacy](https://www.paloaltonetworks.com/legal-notices/privacy?ts=markdown)
* [Trust Center](https://www.paloaltonetworks.com/legal-notices/trust-center?ts=markdown)
* [Terms of Use](https://www.paloaltonetworks.com/legal-notices/terms-of-use?ts=markdown)
* [Documents](https://www.paloaltonetworks.com/legal?ts=markdown)

Copyright © 2026 Palo Alto Networks. All Rights Reserved

* [![Youtube](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/youtube-black.svg)](https://www.youtube.com/user/paloaltonetworks)
* [![Podcast](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/icons/podcast.svg)](https://www.paloaltonetworks.com/podcasts/threat-vector?ts=markdown)
* [![Facebook](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/facebook-black.svg)](https://www.facebook.com/PaloAltoNetworks/)
* [![LinkedIn](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/linkedin-black.svg)](https://www.linkedin.com/company/palo-alto-networks)
* [![Twitter](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/twitter-x-black.svg)](https://twitter.com/PaloAltoNtwks)
* EN  
  Select your language